Hackers are employing a new method to hide malicious code in macOS extended file attributes, facilitating the delivery of a trojan known as RustyAttr, cybersecurity firm Group-IB reports. This technique uses custom metadata and decoy PDF files to avoid detection, reminiscent of the 2020 Bundlore adware that used resource forks. Group-IB attributes the samples to the Lazarus group with moderate confidence, suggesting the attackers are testing new ways to deliver malware. The method proved effective, as VirusTotal's security engines did not flag the malicious files. RustyAttr apps are built with the Tauri framework (JavaScript plus Rust); the app reads the hidden code out of the extended attribute and executes it via a shell script. Decoy PDFs hosted on a pCloud instance, aligned with cryptocurrency themes, help disguise the activity, while the malware connects to known Lazarus infrastructure to fetch subsequent stages.
Experimentation with macOS evasion has parallels to SentinelLabs' findings on BlueNoroff, another North Korean-linked group using cryptocurrency-related phishing to breach macOS without detection.
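As an added defender-side example (not code from Group-IB's report or from the RustyAttr samples), the script below walks a directory and flags extended attributes whose name falls outside an assumed allowlist of stock Apple attributes, or whose value contains shell-script markers; the allowlist, the markers and the 512-byte size threshold are assumptions to tune, not indicators from the report.

```python
import os
import subprocess

# Attribute names macOS writes routinely. Assumed allowlist for this example,
# not taken from the Group-IB report; tune it to the fleet being scanned.
KNOWN_APPLE_XATTRS = {"com.apple.quarantine", "com.apple.FinderInfo", "com.apple.ResourceFork",
                      "com.apple.lastuseddate#PS", "com.apple.metadata:kMDItemWhereFroms",
                      "com.apple.metadata:_kMDItemUserTags"}
# Byte patterns that are normal in a shell script but odd inside file metadata.
SCRIPT_MARKERS = (b"#!/bin/sh", b"#!/bin/bash", b"#!/bin/zsh", b"osascript ", b"/bin/sh -c")

def suspicious_xattrs(xattrs, min_size=512):
    """Return [(name, [reasons])] for entries of a {name: bytes} map that look stashed."""
    findings = []
    for name, value in xattrs.items():
        reasons = []
        if name not in KNOWN_APPLE_XATTRS:
            reasons.append("attribute name outside the Apple allowlist")
            if len(value) >= min_size:
                reasons.append(f"large value ({len(value)} bytes)")
        if any(marker in value for marker in SCRIPT_MARKERS):
            reasons.append("shell-script content")
        if reasons:
            findings.append((name, reasons))
    return findings

def read_xattrs(path):
    """Collect {name: bytes} for one file. CPython exposes os.listxattr only on Linux,
    so on macOS shell out to the stock xattr tool (-p prints a value, -x as hex)."""
    if hasattr(os, "listxattr"):
        return {n: os.getxattr(path, n, follow_symlinks=False)
                for n in os.listxattr(path, follow_symlinks=False)}
    run = lambda *args: subprocess.run(["xattr", *args, path], capture_output=True,
                                       text=True, check=True).stdout
    return {n: bytes.fromhex("".join(run("-px", n).split())) for n in run().splitlines()}

def scan_tree(root):
    """Walk a directory and report every file whose xattrs trip suspicious_xattrs()."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = suspicious_xattrs(read_xattrs(path))
            except (OSError, subprocess.CalledProcessError):
                continue  # unreadable file or no xattr support: skip, don't abort the sweep
            if hits:
                report[path] = hits
    return report
```

Run `scan_tree("/Applications")` or any download folder; a hit on a non-Apple attribute holding a shebang line is what the technique above would look like from the filesystem side.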